950 million Android phones can be hijacked by malicious text messages

Compliments of Ars Technica 

Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday.

The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in “Stagefright,” an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.

The vulnerability can be exploited using other attack techniques, including luring targets to malicious websites. Drake will outline six or so additional techniques at next month’s Black Hat security conference in Las Vegas, where he’s scheduled to deliver a talk titled Stagefright: Scary Code in the Heart of Android.

Drake said all versions of Android after and including 2.2 are potentially vulnerable and that it’s up to each device manufacturer to patch the bug. So far, very few devices have been patched, leading him to estimate that about 95 percent of devices—or about 950 million of them—are currently susceptible. Even Google’s Nexus 5 handsets, which typically receive security fixes long before most other Android handsets—remain vulnerable. Nexus 6 devices, meanwhile, were patched only recently against some but not all Stagefright attacks. Vulnerable devices running Android versions prior to 4.3 (Jelly Bean) are at the greatest risk, since earlier Android versions lack some of the more recent exploit mitigations. Fixes require an over-the-air update.

Enter Firefox

Interestingly, the Stagefright vulnerability also affects Firefox on all platforms except Linux, and that includes the Firefox OS. Firefox developers have patched the vulnerability in versions 38 and up.

“If you install Firefox 38, you can no longer get exploited directly via Firefox,” Drake told Ars. “However, if I make your Firefox download the malicious video instead of trying to play it with a tag, it will still reach the vulnerable Android code.”

SilentCircle, maker of the Blackphone Android handset, has also patched the vulnerability in its PrivatOS with the release of version 1.1.7.

Read More

Hackers Remotely Kill a Jeep on the Highway

Compliments of Wired 

I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.

As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic.”1

Charlie Miller (left) and Chris Valasek hacking into a Jeep Cherokee from Miller's basement as I drove the SUV on a highway ten miles away. Click to Open Overlay Gallery

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.

I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.

Read More 

Cajon Pass Fire

Compliments of KTLA

A dangerous, fast-moving wildfire spread through the Cajon Pass on Friday, damaging several homes and threatening about 50 others after jumping the 15 Freeway and destroying some 20 vehicles stopped on the pavement.

A helicopter drops water on vehicles burning on the 15 Freeway during the North Fire on July 17, 2015. (Credit: KTLA)

The fire started about 2:30 p.m. off the freeway just north of State Route 138 (map), prompting the closure of all southbound and northbound lanes of the 15 Freeway. Responding fire crews were stuck in the resulting gridlock and CHP was urging drivers to avoid the area.

The North Fire was at 500 acres about 3:45 p.m., and firefighting aircraft were temporarily grounded due to drone activity, the San Bernardino County Fire Department stated on Twitter. Two hours later, the fire was at 3,500 acres. By 8:30, the blaze was still only 5 percent contained, according to the fire officials.

Five homes had burned and about 50 were threatened in the Baldy Mesa area, the Fire Department tweeted around 5:30 p.m. Fire officials later stated that four structures had been destroyed.

A home in Baldy Mesa goes up in flames in the North Fire on July 17, 2015. (Credit: KTLA)

A number of fire engines could be seen positioned outside homes, providing structure protection and putting out spot fires, aerial video from Sky5 showed.

An evacuation center was set up at Serrano High School, at 9292 Sheep Creek Road in Phelan. An animal shelter was also opened at the San Bernardino County Fairgrounds, at 14800 Seventh St. in Victorville.

Mandatory evacuations were ordered for the Baldy Mesa area east of Sheep Creek Road, north and west of the 15 Freeway, and south of Phelan Road (map). The area consists of scattered homes and ranches.

“Currently we have not only a multi-casualty incident, but a large wildfire threatening structures,” Josh Wilkins with the county Fire Department said.

A plane makes an aerial drop in the fight against the North Fire on Friday, July 17, 2015. (Credit: KTLA)

Hundreds of firefighters were sent to structures that were threatened in Baldy Mesa, Oak Hills and Phelan areas, Wilkins said.

Aerial video from Sky5 showed flames burning just feet from a ranch home on the northwest edge of the fire about 5:30 p.m.

The blaze began as a vegetation fire and was spread rapidly toward the Oak Hills area by 40 to 45 mph winds, according to Wilkins.

Only two minor injuries were reported, according to Melody Lardner of the San Bernardino National Forest.

Some 20 vehicles were destroyed and 10 were damaged when the fire jumped the southbound lanes of the 15 Freeway, soon after the blaze flared up.

Read More

Warming of oceans due to climate change is unstoppable, say US scientists

Compliments of The Guardian 

The warming of the oceans due to climate change is now unstoppable after record temperatures last year, bringing additional sea-level rise, and raising the risks of severe storms, US government climate scientists said on Thursday.

The annual State of the Climate in 2014 report, based on research from 413 scientists from 58 countries, found record warming on the surface and upper levels of the oceans, especially in the North Pacific, in line with earlier findings of2014 as the hottest year on record.

Global sea-level also reached a record high, with the expansion of those warming waters, keeping pace with the 3.2 ± 0.4 mm per year trend in sea level growth over the past two decades, the report said.

Scientists said the consequences of those warmer ocean temperatures would be felt for centuries to come – even if there were immediate efforts to cut the carbon emissions fuelling changes in the oceans.

“I think of it more like a fly wheel or a freight train. It takes a big push to get it going but it is moving now and will contiue to move long after we continue to pushing it,” Greg Johnson, an oceanographer at Noaa’s Pacific Marine Environmental Laboratory, told a conference call with reporters.

“Even if we were to freeze greenhouse gases at current levels, the sea would actually continue to warm for centuries and millennia, and as they continue to warm and expand the sea levels will continue to rise,” Johnson said.

On the west coast of the US, freakishly warm temperatures in the Pacific – 4 or 5F above normal – were already producing warmer winters, as well as worsening drought conditions by melting the snowpack, he said.

The extra heat in the oceans was also contributing to more intense storms, Tom Karl, director of Noaa’s National Centers for Environmental Information, said.

The report underlined 2014 as a banner year for the climate, setting record or near record levels for temperature extremes, and loss of glaciers and sea ice, and reinforcing decades-old pattern to changes to the climate system.

Four independent data sets confirmed 2014 as the hottest year on record, with much of that heat driven by the warming of the oceans.

Globally 90% of the excess heat caused by the rise in greenhouse gas emissions is absorbed by the oceans.

More than 20 countries in Europe set new heat records, with Africa, Asia and Australia also experiencing near-record heat. The east coast of North America was the only region to experience cooler than average conditions.

Read More 

Greeks take to streets against ‘barbaric’ bailout armed with petrol bombs, in most violent protest in two years

Compliments of Financial Post 

Greek anti-establishment protesters threw stones and dozens of petrol bombs at police in front of parliament on Wednesday before a key vote on a bailout deal, in some of the most serious violence in more than two years.

Police responded with tear gas, sending hundreds of people fleeing in central Syntagma Square.

Garbage cans and a vehicle belonging to a television crew were also set on fire. The clashes were brief and calm largely returned to the square, with a few hundred protesters staying on under heavy police surveillance.

Earlier, thousands took to the streets of Athens in a series of otherwise peaceful marches during the day to protest against the new bailout deal that saved Greece from bankruptcy but will impose more reforms on a country already deep in crisis.

Once a common sight in protest marches in Greece, clashes with police had been very rare since the leftist Syriza party came to power in January. About 30 people were detained, a police source said.

Just before the clashes, protesters marched waving banners reading “Cancel the bailout!” and “No to the policies of the EU, the ECB and the IMF.”

Pharmacists pulled down their shutters across Greece and civil servants walked off their jobs in protest in a 24-hour strike against reforms.

“Further austerity is unacceptable,” said Stavros Koutsioubelis, a spokesman for the ADEDY public sector union, urging lawmakers to reject the deal.

Opposition on the streets has so far been limited, however, and an opinion poll published on Tuesday suggested that more than 70 percent of people wanted parliament to approve the bailout.

Lawmakers are due to vote after midnight on the raft of tax hikes and pension reforms that are hard to accept for many in a country where unemployment has jumped above 25 percent and the economy has shrunk by a quarter in the course of two previous bailouts.

“The bailout to be voted today is against the people, it is against the workers. It is by far the most barbaric – even worse than the two previous ones which were also barbaric,” 19-year-old protester Dimitris said.

Read More 

OPM: 21.5 Million People Affected By Background Check Breach

Compliments of NBC

The U.S. Office of Personnel Management announced on Thursday that sensitive information including Social Security numbers for 21.5 million people was among the data stolen in a hack of its computer networks.

An investigation determined that this hack and a separate, smaller breach of an OPM database detected in April — that one involving information on 4.2 million people — were carried out by the same “actor” or “adversary,” OPM officials said.

There was overlap in the breaches: About 3.6 million people whose data were compromised in the smaller personnel records breach also had records taken in the larger background check hack, making a total of 22.1 million people — roughly 1 of every 15 Americans — affected by the twin cyberattacks, according to OPM officials.

The new numbers come one day after FBI Director James Comey, during testimony before the Senate Intelligence Committee, called the OPM hack an “enormous breach,” saying “millions and millions” of government records were stolen, including his own.

Officials have concluded that the larger breach, which targeted background investigation records kept by OPM, included Social Security numbers, information on family members and other contacts, as well as health and criminal records. The data haul also included an estimated 1.1 million fingerprint records.

In total, hackers are thought to have netted records on 19.7 million people who applied for background check investigations with the federal government, and another 1.8 million people including spouses who did not apply for a background check but whose information was included in the forms. Anyone who applied for a background check from 2000 on is likely to have had their information compromised, OPM said.

“I truly understand the impact this has had on our current and former federal employees, our military personnel, and our contractors,” OPM Director Katherine Archuleta told reporters Thursday on a conference call.

Among the forms used in federal background checks is the Standard Form 86, an 127-page document that delves into intimate questions about prior brushes with the law, drug use, psychiatric health, and info on friends and family members. It requires the applicant to put his or her Social Security number on nearly every page of the document.

Read More 

Hackception

Compliments of BBC

A company that sells surveillance software has been hit by a data breach.

Hackers said they had penetrated Hacking Team’s internal network and stolen more than 400GB of data.

The Italian company said it was working with police to track down the hackers.

Widely shared online, the stolen data includes a list of the countries that have bought Hacking Team’s main surveillance tool, Da Vinci, and emails suggesting intelligence agencies use it to spy on activists and journalists.

The list includes:

  • Azerbaijan
  • Chile
  • Egypt
  • Kazakhstan
  • Russia
  • Saudi Arabia
  • Spain
  • Sudan

Lists of passwords and login details for client sites were also revealed.

The hackers first published stolen data, including internal files, email messages and software source code, on Hacking Team’s own Twitter account, having first changed its name to “Hacked Team”.

Confirmation of the breach came via the Twitter account of Hacking Team engineer Christian Pozzi.

“We are awake. The people responsible for this will be arrested. We are working with the police at the moment,” he said in one message.

Soon after, this and other messages about the breach were removed as Mr Pozzi’s Twitter account was deleted.

Hacking Team’s website is also currently offline.

Security expert Graham Cluley said the company had “no shortage of online enemies around the world”.

Its software had been popular with intelligence agencies in many countries, he said, but he questioned how many would continue that relationship given that it had been “so seriously breached”.

Human rights group Reporters Without Borders had named Hacking Team as one of its “enemies of the internet” because its software was being used in countries that did not have a “good record on democracy and human rights”.

Read More 

Our prayers to all injured during the 4th of july

Compliments of Chicago Tribune

After a relatively quiet start to the Fourth of July weekend in Chicago, a burst of gun violence overnight left three dead and 27 people wounded in just eight hours, including a 7-year-old boy killed after returning from a celebration.

“It’s crazy,” said Vedia Hailey, the grandmother of the boy, Amari Brown. “Who would shoot a 7-year-old in the chest? Who would do that to a baby? When is it going to stop?”

From 9:20 p.m Saturday until 4:45 a.m. Sunday, 30 people were shot across Chicago, three of them fatally, including Amari.

The other victims included a 16-year-old boy and a 15-year-old girl shot shortly after midnight as they walked in Old Town, and a 19-year-old man shot around 10 p.m. Saturday as two groups fought near Navy Pier after the fireworks display.

Several of the shootings across the city involved multiple victims: Four people shot in one incident in Austin, three shot in Albany Park, and two victims in shootings in the West Chesterfield, Humboldt Park, Old Town and Fuller Park neighborhoods.

The worst burst of violence last Fourth of July in the city occurred during a 13-hour stretch from Sunday afternoon through early Monday morning: four dead and 26 wounded.

So far this holiday weekend in Chicago, seven people have been killed and 41 people wounded by gun violence. Last year, the toll was 82 people shot in 84 hours. Sixteen of them died.

Amari had been with his father in the Humboldt Park neighborhood on the West Side after spending the day at his grandmother’s house for a July Fourth celebration, Hailey said. Someone opened fire in the 1100 block of North Harding Street about 11:55 p.m. Saturday, hitting the 7-year-old boy in the right side of the chest and wounding a 26-year-old woman.

Both Amari and the woman were taken to Stroger Hospital, police said.

Read More

Authorities warn of possible terrorist threats around July 4

Compliments of CNN

Authorities are warning of possible terrorist threats around the July 4 holiday, several law enforcement officials told CNN on Friday.

The Department of Homeland Security, the FBI and the National Counterterrorism Center issued a joint intelligence bulletin to law enforcement across the U.S.

The bulletin doesn’t warn of any known active plots. But it serves as a general warning of heightened threats. It says extremists could launch attacks tied to Independence Day or in reaction to perceived defamation of the Prophet Mohammed.

CNN reported in recent weeks that U.S. law enforcement officials believe the Islamist terrorist threat is the highest in years. The officials have raised concern about possible domestic attacks tied to the July 4 holiday and the upcoming visit of Pope Francis.

The FBI and the Justice Department’s national security division have moved aggressively in recent weeks to arrest and charge extremists thought to be plotting attacks or supporting groups such as ISIS. The FBI has increased its surveillance and monitoring of some suspects.

Also on Friday, Department of Homeland Security Secretary Jeh Johnson issued a statement in response to the attacks in France, Tunisia and Kuwait, saying in part, “Particularly with the upcoming July 4th holiday here in the United States, the Department of Homeland Security and the FBI continue to communicate with state and local law enforcement about what we know and see.

“We are encouraging all law enforcement to be vigilant and prepared,” the statement continued. “We will also adjust security measures, seen and unseen, as necessary to protect the American people.”

Read More 

Kurds intent on carving new state out of Iraq after ISIS fight ‘whether the US likes it or not’

Compliments of FOX 

Kurdish fighters and leaders are intent on carving an independent state out of Northern Iraq after they wrest back vital territory from the Islamic State “whether the U.S. likes it or not,” according to American and international security forces on the ground.

Kurdish forces, whose commanders say they aren’t getting enough help from the U.S. and other allies, have been making headway against ISIS. But while re-taking Mosul from ISIS was seen as a key achievement by the U.S., the new focus is squarely on holding Kirkuk, a northern Iraqi city claimed by many to be the cultural Kurdish capital.

“They are pushing hard in Kirkuk to hold Kirkuk and keep ISIS out and once that is done, they will move forward with plans for their country,” one operator on the ground with direct connections to Kurdish leaders told Fox News. Another source, who is directly advising Kurdish leaders, said “they have only one goal, whether the U.S. likes it or not.”

Lahur Talabani, head of the Kurdistan Intelligence Agency, acknowledged his interest in making an independent nation a reality. “Everybody’s dream, every single Kurd, wants to have a free independent Kurdistan.” At the same time, he said surrounding nations that have Kurdish immigrants “will do everything within their power to stop us.”

“Of course we want to be free. It will be difficult, but we would love for it to happen right now,” he said.

For years, many within the autonomous region inside Iraq have lobbied for the establishment of an independent Kurdistan. But with a raging battle against ISIS, some Kurds are intent on making it happen.

A Kurdish nation would deal a blow to ongoing Western efforts to keep Iraq united, and also increase pressure on Turkey, which has a sizeable Kurdish population that might try and unite with a neighboring new nation. There are also significant Kurdish populations in two other neighboring countries, Syria and Iran.

In Syrian cities along the Turkish border, like Tal Abyad and Koabni, Kurds have fought ISIS forces for control, raising concerns in Turkey that Syrian Kurds would try to link up with the independence movement in Iraq.

There is also the issue of oil in and around Kirkuk, which would take much-needed money directly from Baghdad.

Read More